Previous month:
November 2008
Next month:
January 2009

16 posts from December 2008

Submit And Vote For Worthy Ideas For Change In America

During the holiday break, I spent some time browsing the ideas submitted by citizens at the Ideas For Change In America site. Like anything else in life, some ideas were well-developed and others were confusing at best. While you may or may not have voted for President-elect Obama, I think that we can all agree that a democracy works best when citizens participate. That's the idea behind the Ideas For Change In America site: collect and prioritize citizen-submitted ideas to turn the broad mandate for change into specific policies.

While browsing the site after the Christmas holiday, I read a couple ideas regarding identity theft. The first:

"Immigration, Welfare, and Identity theft reform: I love immigrants, our country was built on the foundation that this is the land of opportunity. A concern is that illegal aliens are qualifying for welfare benefits without being required to follow through with the naturalization process. We have no right to be mad about this, because we (the people) set it up this way. Social Security numbers are NOT verified and sometimes not even required..."

The second:

"Allow Americans to Protect Their Identity: Do you realize it is estimated 7 million Americans have had their SSN stolen by illegal aliens? Do you realize that children' SSNs are considered the best id's to steal because it will be many years before the theft is discovered? Do you realize Americans who have had their SSN stolen (and it is estimated that each stolen SSN is used by 13 people), your credit is ruined, you can get stuck paying the thief's bills, and you permanently lose SS benefits you worked for? Do you realize that Americans are not permitted to check with Social Security to find out if someone else is using their SSN..."

Several months ago, I wrote a blog post exploring the issues when another person uses your Social Security Number. Are the above two ideas for change good ones?

Which ideas for change are important to you? Which ideas for change do you want the incoming President to consider? We get to decide as a group. At December 26, citizens had already submitted more than 5,100 ideas. Frankly, this is the type of citizen engagement tool Congressional representatives should have already been doing. The first round of voting ends December 31, 2008.

During the next few days, I plan to both vote on more proposed ideas and to submit some new ideas about identity theft, behavioral advertising, offshore outsourcing of consumers' sensitive credit report information, protections for consumers' IP addresses, Federal anti-skimming legislation, and corporate responsibility with post-data-breach helps help for breach victims. I hope that you will both submit ideas and vote on submitted ideas.

Is As Safe And Secure As It Says It Is?

Last week, a coworker asked me what I thought about the personal finance service site. Deanna asked me because, in her own words, "George, you are more paranoid than me." I spent several days researching and reviewing the site. Afterward, I began to wonder how safe and secure it really is.

If you aren't familiar with the site, it is an online service to help consumers manage their money. It is a free alternative for consumers who don't have the money to hire a personal financial adviser. Many consumers like since it mostly eliminates the manual data entry of financial transactions at your bank. According to the site, 600,000 people+ use with 2,000+ daily users, $50 billion in transactions, and $15 billion in assets. The site publishes an impressive list of reviews and awards, too.

My question is this: how safe is it to store all of your personal financial information in a single online site? Shelley Elmblad at answered the first part of that question with a comparison of desktop and online financial services software. The second part of the answer is specific to the site, which says:

"Mint does not ask for its customers' names, addresses or Social Security numbers. It establishes a one-way connection with the bank so that no money can be moved around... Mint works for you without requiring any personally identifiable information from you. Your Mint account is anonymous; set up requires only an email, password and zip code."

That sounds good. says that it uses the same physical and encryption security as the banks. While that might sound good, it's not 100% bullet-proof since some banks and financial companies (e.g., Ameritrade and Bank of America) have had data breaches, and some reports have documented flaws in the financial system. Plus, all of that online security won't necessarily prevent a a data breach by an inside job -- data stolen by an employee.

The site says that it's account setup doesn't allow to move money. It's a "read-only" service. That sounds good, but how safe is it really?

My skepticism with a service like this is that in order for a consumer to enjoy the full benefits of, he/she still must submit their bank sign-in credentials (e.g., ID and password) repeatedly so the software can import their latest financial transactions. And, a consumer must provide those credentials for every bank account and credit card account he/she wants to evaluate.

To learn more, I read several online reviews of at, TechCrunch, the Well-Rounded Woman, the Consumerist, the New York Times, and Brit Gardner. Afterward, I wished that all of these reviews had focused less on the features and more on the data security.

Since I started writing this blog, one thing I've learned is that my financial, bank account, and e-mail sign-in credentials are just as valuable as the sensitive personal data companies archive about consumers. An identity thief in possession of my sign-in credentials can still do lots of damage. They could use a brute-force method to determine which other sites they could sign in with the stolen sign-in credentials; and then sign in and steal the remainder of my sensitive personal data and money.

And, a data breach at would clearly be a huge disaster. While writing this blog, I also learned that identity thieves are smart and persistent. They will hack into sites that don't maintain current and effective security measures. They will hack into the electronic transmissions between sites and third-party sites. They will identify and attack both high-value sites and the consumers that use those sites.

One area that seems murky is what happens when things go bad when a consumer submits their Site B sign-in credentials at site A to use information retrieved from site B. What happens when site A suffers a data breach where site B sign-in credentials are stolen? Which site's company is liable: A or B? Which company will help the user with credit monitoring and recovery services? It seems unlikely that site B would provide assistance due to a breach at site A.

Think of it this way: when there's a credit card theft, I know that the credit card issuing bank will stand by me with help. Another example, when IBM suffered a data breach that exposed the sensitive personal data of its employees and former employees, it provided one year of free credit monitoring and recovery services to the other data-breach victims. What can I expect from a small start-up like Does have the resources to help, should things go bad? For me, it is important to know this upfront when deciding whether or not to register with a new financial services site, since data breaches unfortunately happen.

In the state where I live, companies are required to notify its customers after a data breach. While I could reasonably expect notification from if a breach happens, the law doesn't specify the level of post-breach help. So, I took a closer look at the Terms of Use policy to see what else a consumer can expect should things go bad:

"Mint cannot always foresee or anticipate technical or other difficulties which may result in failure to obtain data or loss of data, personalization settings or other service interruptions. Mint cannot assume responsibility for the timeliness, accuracy, deletion, non-delivery or failure to store any user data, communications or personalization settings... You agree and understand that you are responsible for maintaining the confidentiality of your password which, together with your LoginID e-mail address, allows you to access the Service... Your access and use of may be interrupted from time to time for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of or other actions that Mint, in its sole discretion, may elect to take... you grant Mint a limited power of attorney, and appoint Mint as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person."

So, customers authorize the site to act fully on their behalf, and assumes all risk for maintaining the security of all of their bank and financial service sign-in credentials. Nothing surprising there. However, there's more (bold added for emphasis):


Well, that seems pretty clear. If is hacked or breached, they aren't liable and the consumer is on their own to resolve the problem. While has every right to protect itself, there has to be a better balance with the needs of consumers. Based on the above copy, customers are on their own should a data breach happen.

Should you register for That's your decision and a decision only you can make. Only you know how much risk you are willing to tolerate.

My take: a consumer that uses any financial services site like absolutely has to make sure that their personal computer is properly protected, and that he/she creates and uses strong passwords. It'd be foolish to use the same sign-in credentials at that you use for your e-mail or at your online banking site.

Seems to me that sites like are high-value targets. Time will tell how effective's data security methods are. I hope that they are as effective as advertised.

Can Your Facebook Page Be Your Legal Residence?

We've all heard the advice: whatever personal data you place on the Internet is there forever. That means, to protect your sensitive personal data consumers must give serious thought to if and how you publish online personal data about yourself. Consider this recent ZD Net Between The Lines blog post:

"In Australia, an attorney who had been trying to catch up with a couple that was in default on their mortgage was having no luck by showing up at the house or sending e-mails to serve the couple with legal papers. But when the lawyer found the public profiles of the couple on Facebook, he asked for permission to serve the couple with the paperwork via the site... The judge, obviously convinced that the lawyer had the right people, said he would consider the couple served on Facebook if the lawyer also left the papers at their last known residence and sent them via e-mail."

If you think that Facebook will help consumers in this situation, think again. Yahoo Tech reported:

"In a statement, Facebook praised the ruling. "We're pleased to see the Australian court validate Facebook as a reliable, secure and private medium for communication. The ruling is also an interesting indication of the increasing role that Facebook is playing in people's lives," it said. The company said it believed this was the first time it has been used to serve a foreclosure notice."

A good friend is a process server here in Massachusetts. He always serves people in person and not online. But who knows? This could change and apply to other social networking sites.

Meanwhile, consumers are advised to pay your bills on time; and set your profile to private on the social networking sites you use.

Improved Site Search Mechanism at I've Been Mugged

Many I've Been Mugged readers read the archived posts to learn more about a product, service, or event. To make this easier and more effective, I've add the Lijit search mechanism to this blog. The new Lijit search box is in the column on the right.

Now, readers can easily search this blog on any words or phrases desired, such as "behavioral advertising" or "offshore outsourcing." The results page displays the matching I've Been Mugged posts. You can use the Comments section below to provide any feedback. I hope that you like this new search mechanism.

Data Breach At Auto Dealership Affects Thousands in New Hampshire And Massachusetts

Last week, the New Hampshire Union Leader newspaper reported the data breach at the Bill Dube Ford/Toyota dealership when computer data tapes were stolen. The stolen data included the:

"Personal information from thousands of people in New Hampshire and Massachusetts...The pilfered data include names, addresses, Social Security numbers and driver's license information, but no financial data such as credit card information, from customers at Bill Dube's dealerships in Dover and Wilmington, Mass."

The number of people affected by this data breach was estimated at over 10,000. It's unacceptable that, four months later, the dealership doesn't know the contents of the stolen data tapes. A computer security expert should have been hired to help determine the tape contents.

Also, the dealership was extremely slow to notify affected consumers since the theft was were discovered on August 5 and customers were notified in a letter dated December 5. That delay is totally unacceptable.

This breach is also noteworthy due to the crisis in the auto industry. As the U.S. Federal Government debates whether or not to provide bailout monies to the U.S. auto manufacturers, the result has implications for hundreds of auto dealerships.

Should one or more auto companies go out of business, the same would likely happen with hundreds of auto dealerships. Yes, hundreds of thousands of people could lose their jobs. Beyond that, the closing of auto dealerships raises the question about the data security of the sensitive personal data archived at those dealerships. Will those dealerships adequately protect that data? Will dealerships that go out of business effectively destroy sensitive data? Who is looking out for the consumers' interests?

Here's an idea. The oil companies should bail out the auto companies. Why?

First, the oil companies have huge amounts of cash. Remember the oil companies made record profits over the past few years as gas rose near $4.00 per gallon. Second, the oil and auto industries have a symbiotic relationship. One industry sells what the other industry's products consume. The oil companies have a stake in the health of the auto industry.

Third, it gets the Federal government out of the corporate bailout game, a place where government doesn't have the necessary skills and expertise. Fourth, it's an opportunity for oil companies to do something patriotic: save several major American companies and save thousands of jobs. Just think of the goodwill oil companies would collect.

You Are A Chump (Mugged By Wall Street, Round 2)

Congratulations to the workers at Republic Windows and Doors for standing up for their rights. Those workers made the connection between the Bank of America's lending in-action (after the Bank received bailout money expressly to facilitate loans), Republic's failure to pay them severance they were due by law, and the recent bailout of Wall Street firms. In the end, two banks finally did the right thing and lent Republic the money to cover the workers' severance pay, unpaid salaries, and health coverage.

What I read from this story: the marketplace does not correct itself. The trickle-down economics, started during the Reagan administration, has failed. Simply, greed gets in the way.

In the Republic Windows and Doors example, the bailout money given to the banks did not trickle down to the companies and workers as intended. In the example with AIG, after receiving bailout money AIG executives threw a huge party. These corporate and bank executives are proving that they can't be trusted to do the write thing... or are painfully slow to do the right thing only after much prodding and public humiliation.

It really pains me to write this. Follow the bailout hearings in Congress and you get a clear impression that Wall Street and bank executives probably view you as a chump. More precisely, they view all U.S. taxpayers as chumps. Why? We've allowed our elected officials (so far) to give the banks billions of dollars without any oversight, rules or guidelines.

I strongly urge you to watch this:

Bill Moyers Journal: Interview About the Financial Bailout with Emma Coleman Jordan.

The video is also available here. The video includes clips from the Congressional bailout hearings, including this exchange:

"REP. ELIJAH CUMMINGS: Mr. Kashkari, in the neighborhood I grew up in, in the inner city of Baltimore, one of the things that you tried to do was to make sure that you were not considered a chump. And what "chump" meant was that you didn't want people to see you as just somebody they could get over on. And I'm just wondering how you feel about an AIG giving $503 million worth of bonuses out of one hand, and accepting $154 billion from hardworking taxpayers. You know, because I'm trying to make sure you get it, you know? I mean, and you know what really bothers me is because - all these other people who are lined up. They say, well, is Kashkari a chump?"

There have to be guidelines, rules, and oversight along with any bailout, since corporate and bank executives have proven they can't be trusted to do the right thing. And those guidelines, rules, and oversight must have teeth: jail-time for executive violators and repayment of the money lent. What should those guidelines and rules be? Here's my list (which I sent weeks ago to my elected officials when the bank bailout was first discussed):

  • The bailout money for investment firms and banks cannot be used for political campaign contributions. It is for operational expenses only. Any violations and the money must be repaid and the executives go to jail
  • An investment firm or bank gets bailout money if the senior execs invest their own assets at risk in the investment firms
  • Senior executives' compensation in cash only, and capped at a $ amount or 50x multiple of the lowest worker's pay
  • Quarterly disclosure of how the senior executives are managing the bailout loan received
  • If the investment firm's or bank's profits exceed a threshold in 2 years, they must start repaying the taxpayers then and before any salary increases, bonuses, and stock dividends
  • Twice yearly auditing by a true independent third party... not just the firm's accounting firm. Any abuses and the executives go to jail
  • Any abuses and the investment firms do not receive any more bailout loans
  • Investment firms and banks receiving bailout monies are prohibited from making any corporate mergers or acquisitions
  • Investment firms and banks receiving bailout monies are prohibited from moving any (additional) jobs out of the country via offshore outsourcing
  • If the investment firms don't agree to these conditions, don't receive any bailout money
  • Bailout decisions are by a panel including the SEC Chairman, the Reserve Board Chairman, the Treasury Secretary, and several U.S. Senators; not a unilateral decision by the President

After you have watched the video, then write to your elected officials and tell them you are not a chump. Tell them that you demand effective oversight, guidelines, and rules governing any bailout money. Tell them that you expect the companies receiving bailout monies to be held accountable; executives to repay the money and to go to prison when they violate the rules. Otherwise, you will hold them accountable at election time.

Would You Trade Privacy For Auto Insurance Discounts?

Last week, I mailed to my insurance agent a form for the low-mileage discount. My wife and i drive less than 5,000 miles monthly yearly since I use mass-transit to commute to work. The form required me to disclose the car's odometer and to provide an explanation why we expect to drive less than previously.

I was comfortable with the form my insurance agent required. Then, I saw the MSNBC video below. The new proposed methods by insurance companies would required consumers to disclose far more than your mileage. a GPS device can track (and send to the recipient) your mileage plus everywhere you drive to. A smart recipient could compute your highway speed and issue speeding tickets accordingly. that's a lot of data to provide just for an insurance discount this year, which the insurance company could eliminate next year.

Plus, a data breach at an insurance company would expose far more data to identity thieves and criminals. Data breaches happen at insurance companies:*

  • April 2006: Progressive Casualty Insurance
  • April 2006: Aetna: 38,000 records exposed
  • June 2006: AIG: 930,000 records exposed
  • June 2006: Allstate: 2,700 records exposed
  • July 2006; Sentry Insurance, 112,270 records exposed
  • December 2006: Aetna, Nationwide, and Wellpoint via a vendor: 172,000 records exposed
  • October 2007; West Virginia Public Employees Insurance Agency: 200,000 records
  • March 2008: Sterling Insurance & Associates: undisclosed
  • May 2008: BB&T Insurance: undisclosed
  • June 2008: Texas Insurance Claims Service: unknown
  • September 2008: State Farm: 137 records exposed

Would you trade privacy for an auto insurance discount? Watch the following:

*Source: Privacy Rights Clearinghouse, Chronology of Data Breaches

Report: Cyber Criminals Selling Data About 21 Million German Consumers' Bank Accounts

What is your bank account data worth on the black market? This Germany data breach shows the value of sensitive consumer data. On Monday, IT World reported:

"Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate."

The cyber criminals offered to sell the sensitive consumer data (e.g., 21 million German bank accounts) for a reported 12 million Euros or about US $15 million. That's about US $ .70 per account, depending upon the exchange rate. Apparently, that is the low price:

"When sold in small quantities, full bank account details can fetch as much as $1,000 per record..."

That means, a criminal paying $1,000 for each consumer's stolen bank account data expects to steal at least that amount. What data was stolen, and how?

"That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim's account balance was also provided. The data was most likely collected from call center employees, the magazine reports."

As I have written previously in this blog, there clearly are data security risks with offshore outsourcing and many U.S. companies, including the three national credit bureaus, outsource their call center operations. Also, even though the online passwords weren't included in the stolen data, the cyber criminals have enough personal data about the German bank account-holders to impersonate them, withdraw money from their bank accounts, and ultimately acquire (and/or change) the consumers' online passwords.

New Book Reveals How Google Collects Large Amounts of Data About Consumers

Recently, I wrote about the data breach at a Google service, and how Google compromises your privacy. Thanks to Bill G. for alerting me to this Boing Boing blog post.

Boing Boing reviewed the new book by Greg Conti titled, "Googling Security: How Much Does Google Know About You?" You can remove the question mark, since Google knows a lot about you, and probably far more than you realize:

"Conti enumerates all of Google's (often fantastic) services, describes how compelling they are, and then notes what information you disclose when you use them -- even when you only use them inadvertently (say, when you send email to someone with a Gmail account, or when you load a bookmarked Gmap that's been sent to a group of logged-in Google users, thus tying yourself to those users as part of the same group)."

The review was favorable:

"Conti's explanations are extremely accessible, even when discussing difficult and counter-intuitive subjects like cross-site scripting and cookies. Likewise accessible are his concrete recommendations for staunching the flow of personal information from your computer into Google's records. Finally, Conti does a great job of explaining why people who "have nothing to hide" might still want to keep their information to themselves... I've given the subject of privacy and Internet use a lot of thought, but even so, Conti's book opened my eyes to potential risks I'd never considered.

Put this book on your holiday gift list. It's on mine.

'Hard' Inquiries Will Negatively Affect your Credit Scores

While researching the three major credit bureaus, many months ago I learned that "hard" inquiries will negatively (e.g., temporarily reduce) affect your credit score. This Consumerist blog post contains the first good definition I've read of what constitutes a "hard" credit inquiry:

"A hard inquiry is when a person or organization requests your credit score and history and they intend to make a lending decision. Applying for a credit card? Hard inquiry. Getting approved for a car loan or mortgage loan? Hard inquiry. On your reports, each of the credit unions categorize these inquiries differently. TransUnion calls them "regular inquiries," Experian calls them "requests viewed by others," and Equifax calls them "Inquiries in the last 12 months." Hard inquiries usually drop your score by a few points for six months, then their effect is removed."

A "soft inquiry" is everything else. I don't worry about "hard" inquiries affecting my credit score because I have removed the causes. First, I opted out of pre-approved credit offers. Second, I placed a Security Freeze on my credit reports at the three national credit bureaus, so nobody can make a credit report inquiry without my consent. The primary reason I placed a Security Freeze on my credit reports was to protect my sensitive personal data since IBM exposed my identity data during its February 2007 data breach.

Florida State Agency Exposes Consumers' Sensitive Personal Data... Again

I usually don't write about data breaches, since there are plenty of blogs and web sites that track data breaches. However, this breach seemed worthy of a mention given the lack of organizational responsibility and accountability. Yesterday, the Sun-Sentinel reported:

"... the sensitive personal information of at least 250,000 Floridians was posted on a state government employment agency Web site... The Florida Agency for Workforce Innovation inadvertently posted on a test computer server or searchable database the names and Social Security numbers of people who sought services at the agency's One-Stop Career Centers between January 2002 and November 2007, agency officials acknowledged Wednesday."

The agency exposed the most sensitive of consumers' sensitive personal data: Social Security numbers. Plus, 250,000 is a lot of records to fail to maintain data security. While the workforce agency posted a notice on its web site about the data breach, it does not get extra credit for doing so since the State of Florida law requires notification of consumers after a data breach.

Rather, several disturbing questions remain unanswered by the agency. Why test a system with so many actual consumer records? The agency couldn't test with dummy data? What credit monitoring service was offered by the agency to its data breach victims? What employees and managers were held accountable? What consequences for those persons? What employee training was implemented to prevent future breaches?

And, this was not the first data breach by this agency:

"The incident is one of three known security breaches affecting Floridians this year and the second time the state's labor department reported exposure of personal sensitive information. In 2006, a workforce agency staffer in Tallahassee uploaded information to a test server when accidentally included the names and Social Security numbers of more than 4,600 people. The data was in cyberspace for 18 days before it was discovered..."

The newspaper also reported:

"Aaron Titus, information privacy director for Liberty Coalition, a consumer advocacy group based in Washington D.C., said he alerted the Florida employment agency shortly after he discovered the breach in October. According to Titus' analysis of the data, between 255,917 and 259,193 Social Security numbers were exposed including the Social Security numbers of 50 children... Titus copied the names whose information was posted and listed them on the National ID Watch's Web site -, a project under Liberty Coalition - to allow consumers to search for their names to see if their information had been exposed."

Congratulations to Aaron Titus for discovering the Florida state agency's data breach. Congratulations to the Liberty Coalition for advocating for consumer rights and for promoting consumer awareness regarding data breaches. Greater consumer awareness about data breaches and identity theft are both needed.

While the site is admirable in its effort to help consumers learn if their data has been exposed during unannounced data breaches, I have concerns about the site. First, it is the responsibility of the government agency or company to notify affected consumers, employees, and former employees after it suffers a data breach. Nothing should reduce that responsibility, especially since not all states currently require the notification of consumers after a data breach. I fear that some smaller businesses and government agencies may avoid notifying consumers if they know that a site like will notify consumers for them.

Second, I briefly looked at the Liberty Coalition's web site. It's great that the site attempts to cover the smaller data breaches that can easily go unnoticed and unreported. However, the name search mechanism could give misleading information, since many consumers share the same or similar names. Yes, the site provides disclaimers that the information is provided "as-is," but consumers may purchase credit monitoring services (or not) needlessly.

Frankly, I question the wisdom of copying the names of affected data breach victims as the Liberty Coalition did in order to update its database of data-breach victims. A better approach would be to maintain a publicly available database of companies and state agencies (and their senior executives) that fail to notify their data breach victims, especially in states that don't require notification.

New FTC Health Care Booklet and Web Site For Elders

To help elders and their families make good, informed decisions about their health care, the FTC has introduced the "Who Cares: Sources of Information About Health Care Products and Services" web site. According to the FTC press release, the new booklet and site are designed to help consumers:

"... find links to agencies and organizations that provide reliable information about generic drugs, hormone therapy, caregiving, surgery to improve vision, alternative medicine, hearing aids, Medicare fraud, and medical ID theft; learn how to spot misleading and deceptive claims; and find out who they can contact to ask questions, enlist help, or raise a concern about a health product or service that isn’t living up to its promise."

The "Scams 7 Frauds" section of the "Who Cares" website includes information about medical ID Theft and advice about how to protect yourself from Medicare fraud. Medical fraud is a growing problem for consumers.

If your elder family member doesn't have access to the Internet, they can order a free copy of the "Who Cares: Sources of Information About Health Care Products and Services" booklet by calling the FTC’s Consumer Response Center toll-free at 1-877-FTC-HELP.

Why You Can't Trust 'Friends' At Facebook

Earlier this year, I wrote about the class-action lawsuit against Facebook. Now, Mike Elgan at the ComputerWorld Network & Security blog, has written a very informative blog post describing in detail one of the severe security limitations at Facebook:

"... if you're like most Facebook users, you're certain those friends are exactly who they say they are. And you might be right. Or you could be wrong. They could be scammers posing as your friends. How hard is that, exactly? It turns out to be hideously easy..."

How the scam works:

"Step 1: Request to be "friends" with a dozen strangers on MySpace. Let's say half of them accept. Collect a list of all their friends."
"Step 2: Go to Facebook and search for those six people. Let's say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you're already an established friend."
"Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send "friend" requests to your victims on Facebook."
"Step 4: Step 4: Now, you're in business. You can ask things of these people that only friends dare ask... Facebook represents a perfect storm of fraud factors. The whole "friend" system creates trust, but the reality of social networks prevents verification that people are who they say they are.

After establishing your trust, the scammer will ask you to wire money to them or something similar.

"While pretty women can be dangled in front of thirtysomething and fortysomething men in order to separate them from their money, Dateline NBC's Chris Hansen can tell you that men target girls for crimes far worse. A growing number of police investigations are targeting men with fake Facebook profiles and fake photos, which always show the perp to be closer to the age of the victim. They strike up "friendships" with underage girls.

How can you protect yourself? Verify every 'Friend' request. Call, e-mail, or text message the person independently.